This article covers how to install a BIOS update from Dell to patch Meltdown and Spectre CPU hardware vulnerabilities using an SCCM Task Sequence.
It is highly recommended all files are backed up prior to updating the BIOS on any computer!
If you have any questions, please contact firstname.lastname@example.org.
- Supported OS: Windows 7 or Windows 10 (64 Bit)
- The computer must be actively enrolled in SCCM on the WIN Domain and connected to MITnet via MIT Secure or Ethernet on campus.
- Only this one task sequence is needed to deploy BIOS updates to all currently supported Dell computers listed below. The task sequence will only install the correct BIOS to the related model.
- This task sequence is only set to work on Dell computers. If it is deployed to a computer from a different vendor, nothing will install. You may see an error message that the task sequence failed because the computer is not supported. If you have multiple vendors in your department, you can exclude the non-Dell computers when deploying this task sequence to your collection.
- If the task sequence is deployed to a Dell computer that is not currently supported for a BIOS upgrade, BitLocker will be suspended if enabled, the computer will restart, and BitLocker will be re-enabled if previously suspended. A BIOS update will not be completed since a BIOS file does not exist. Again, these computers can be excluded from the collections you are deploying the task sequence to.
Supported Dell models as of August 20, 2019:
- Dell Latitude 3470 - BIOS 1.10.1
- Dell Latitude 5590 - BIOS 1.5.0
- Dell Latitude 5480/5580 - BIOS 1.12.0
- Dell Latitude 7310/7410 - BIOS 1.2.11
- Dell Latitude 7300/7400 - BIOS 1.3.11
- Dell Latitude 7290/7490 - BIOS 1.6.0
- Dell Latitude 7280/7380/7480 - BIOS 1.12.2
- Dell Latitude E5270/E5470/E5570 - BIOS 1.18.6
- Dell Latitude E5450 - BIOS A19
- Dell Latitude E6440 - BIOS A21
- Dell Latitude E6520 - BIOS A21
- Dell Latitude E6540 - BIOS A24
- Dell Latitude E7240 - BIOS A25
- Dell Latitude E7250 - BIOS A19
- Dell Latitude E7270/E7470 - BIOS 1.18.5
- Dell Latitude E7440 - BIOS A25
- Dell Latitude E7450 - BIOS A19
- Dell Optiplex 790 - BIOS A21
- Dell Optiplex 990 - BIOS A23
- Dell Optiplex 7010 - BIOS A29
- Dell Optiplex 7020 - BIOS A18
- Dell Optiplex 7040 - BIOS 1.15.5
- Dell Optiplex 7050 - BIOS 1.12.1
- Dell Optiplex 7060 - BIOS 1.4.2
- Dell Optiplex 7070 - BIOS 1.3.1
- Dell Optiplex 7440 AIO - BIOS 1.8.6
- Dell Optiplex 7450 AIO - BIOS 1.8.5
- Dell Optiplex 9020 AIO - BIOS A17
- Dell Optiplex 9020 - BIOS A22
- Dell Optiplex 9030 AIO - BIOS A19
- Dell Precision T3600 - BIOS A16
- Dell Precision T3610 - BIOS A16
Note: Additional models will be added as they become available from Dell.
The update requires a restart which will happen automatically (60 second countdown before restarting).
If your computers have a BIOS password set, it will need to be cleared before deploying this task sequence. If a BIOS password is in place, the task sequence will fail.
Best Practices for Laptops: Remove them from docks and ensure they are connected to a power supply before updating the BIOS.
When necessary, the task sequence will automatically suspend BitLocker and re-enable it after the BIOS update is successfully completed. It does not decrypt the drive. BitLocker is just temporarily disabled so the BIOS update can complete. This applies only to computers whose system drive is C:. If your computer uses an encrypted system drive other than C:, and/or has additional encrypted volumes (e.g. data drives such as D: or E:), you will want to suspend BitLocker on all drives and update the BIOS on those computers manually rather than using this task sequence in SCCM.
Note on re-enabling BitLocker: Windows 10 computers will re-enable BitLocker automatically after restarting. On Windows 7 computers you may see a message to click a box to re-enable BitLocker upon first logging in after the BIOS update. You may click that box or once the computer reconnects to the SCCM client it will re-enable BitLocker automatically for you.
Computers which are not encrypted with BitLocker remain that way. The task sequence will not try to encrypt the drive. You may note some BitLocker errors in the log files related to non-encrypted computers; these are expected and can be ignored. The task sequence is set to continue with these errors.
There are two (2) log files created during this process. Both files are located on the computer being updated under C:\Windows\CCM\Logs. The files are called:
DellBIOS.log - This will provide details on the BIOS update for the computer.
smsts.log - This will provide details on the Task Sequence in SCCM.
Downgrading a BIOS to a lower version is not recommended. By default Dell computers will not allow a downgrade. The task sequence will give an error message if it sees the BIOS version as the same or a lower version. The DellBIOS.log will note Error Code 3: that the currently installed BIOS is the same or a lower version and nothing needs to be upgraded. If your computer was encrypted with BitLocker, it was suspended and will need to be re-enabled. This can be done in Control Panel under BitLocker. For Windows 10 computers you can also just restart to re-enable BitLocker.
Queries are available to check BIOS versions in SCCM to exclude already patched computers. You can also obtain the currently installed BIOS locally on the computer under System Information prior to installing through Software Center.
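A local pre-flight check for the conditions described above (vendor, supported model, installed BIOS version, and BitLocker volumes other than C:), as an added example that is not part of the MIT task sequence or its SCCM queries. It assumes Windows 10 and an elevated PowerShell session (`Get-BitLockerVolume` needs both); the function names are hypothetical, and the table holds only a few entries from the list on this page.

```powershell
# Added example. Target versions are copied from the supported-model list on this page
# (subset); the key strings assume the form that Win32_ComputerSystem.Model reports.
$TargetBios = @{
    'Latitude 7490'  = '1.6.0'
    'Latitude E6440' = 'A21'
    'OptiPlex 7050'  = '1.12.1'
    'OptiPlex 9020'  = 'A22'
}

function ConvertTo-BiosVersion([string]$Text) {
    # Legacy Dell releases look like "A21"; newer ones look like "1.12.1".
    if ($Text -match '^A(\d+)$') { return [pscustomobject]@{ Style = 'A'; Value = [version]"0.$($Matches[1])" } }
    if ($Text -match '^\d+(\.\d+){1,3}$') { return [pscustomobject]@{ Style = 'N'; Value = [version]$Text } }
    return $null
}

function Test-BiosNeedsUpdate([string]$Installed, [string]$Target) {
    $i = ConvertTo-BiosVersion $Installed
    $t = ConvertTo-BiosVersion $Target
    # Unparseable or mixed naming styles: return $null so a person decides.
    if (-not $i -or -not $t -or $i.Style -ne $t.Style) { return $null }
    return $i.Value -lt $t.Value
}

function Get-DellBiosPreflight {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $installed = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion
    $model = "$($cs.Model)".Trim()
    $action = 'Deploy'; $reason = 'Installed BIOS is older than the listed version'
    if ($cs.Manufacturer -notlike 'Dell*') {
        $action = 'Exclude'; $reason = 'Not a Dell computer'
    } elseif (-not $TargetBios.ContainsKey($model)) {
        $action = 'Exclude'; $reason = 'Model is not in the supported list'
    } else {
        $needs = Test-BiosNeedsUpdate $installed $TargetBios[$model]
        if ($null -eq $needs) { $action = 'Review'; $reason = 'Cannot compare version strings' }
        elseif (-not $needs) { $action = 'Exclude'; $reason = 'Nothing to upgrade (would log Error Code 3)' }
    }
    # The task sequence only suspends BitLocker on C:, so any other volume that is
    # not fully decrypted means this computer should be updated manually.
    $others = @(Get-BitLockerVolume | Where-Object {
        $_.MountPoint -ne 'C:' -and $_.VolumeStatus -ne 'FullyDecrypted' })
    if ($action -eq 'Deploy' -and $others.Count -gt 0) {
        $action = 'Manual'; $reason = "BitLocker on $($others.MountPoint -join ', ')"
    }
    [pscustomobject]@{ Model = $model; Installed = $installed; Action = $action; Reason = $reason }
}

Get-DellBiosPreflight
```

On Windows 7, where the BitLocker PowerShell module is not present, `manage-bde -status` shows the same per-volume state.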
The task sequence is called EPM - Dell BIOS Update.
It is located under Software Library / Operating Systems / Task Sequences / MIT Task Sequences
To deploy to a collection, click the Deploy button or right-click the Task Sequence and select Deploy.
The Task Sequence can be scheduled to run automatically at a specific date/time or it can be deployed as Available through Software Center. Deploying through Software Center is generally recommended for these types of updates.
If deployed to Software Center, a user will be able to install the BIOS update under Operating Systems and will be given a warning before installing.
After the computer logs out of the Operating System you will be presented with a similar screen while the BIOS update completes:
IMPORTANT: As noted DO NOT power down the system while the BIOS is being updated!
When completed it will note the update was successful and the computer will restart back to your normal Windows log in screen. BitLocker will be re-enabled if necessary and the task sequence is complete.
As with any BIOS update there can be new issues introduced. These can range from performance issues to system instability. It is best to test BIOS updates on a few select machines before deploying updates to entire collections.
Currently there are no reported known issues for the machines listed above.
Should a system become unresponsive due to power loss etc. while trying to update the BIOS the following link from Dell offers some suggestions for recovery:
- Microsoft Endpoint Configuration Manager (MECM) Landing Page
- Meltdown and Spectre Detection and Remediation
If you have any questions, please contact email@example.com.